Topic-specific policies
ISO/IEC TR 27550


Search this site
 

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC TR 27550:2019 — Information technology — Security techniques — Privacy engineering for system life cycle processes

 

Abstract

“ISO/IEC TR 27550 provides privacy engineering guidelines to help organizations integrate recent advances in privacy engineering into system life cycle processes. It describes:
    • the relationship between privacy engineering and other engineering viewpoints (system and security engineering, risk management);
    • privacy engineering activities in key engineering processes such as knowledge and risk management, requirement analysis, and architecture design.
       

    The audience includes all involved in the development, implementation or operation of systems that need privacy consideration, as well as managers in organizations responsible for privacy, development, product management, marketing, and operations.”

[Source: SC27 Standing Document 11 (2021)]
 

Introduction

‘Privacy engineering’ involves taking account of privacy during the entire cradle-to-grave lifecycle of IT systems and the associated processes, such that privacy is and remains an integral part of their function.

 

Scope of the standard

This is an IT security standard about engineering IT systems to satisfy privacy requirements relating to the protection of personal data.

 

Content of the standard

The standard:

  • Discusses how privacy engineering supports system and security engineering, information risk management, knowledge management etc.
  • Elaborates on conceptual principles such as privacy-by-design and privacy-by-default, important design goals noted in GDPR and elsewhere;
  • Elaborates on the processes for identifying, evaluating and treating privacy risks in the course of IT systems design;
  • Explains how IT systems can be engineered to support and satisfy the OECD privacy principles which form the basis of most privacy laws and regulations.

 

Status

The standard was published as a Technical Report in 2019.

 

Personal notes

The procedures for operating, using, monitoring, managing and maintaining IT systems and their privacy controls are just as important as the technical controls themselves, and also benefit from being systematically developed (specified, designed, documented, mandated, operated, monitored, maintained ...): it is a good thing this standard is not myopically focused on the technology.

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2021 IsecT Ltd.